Saturday, December 28, 2013

The Conditions that Created the Perfect World for Cybercrime

Note: This is a section of the full research paper

Computer crime has changed from a 1970s characterization of hobbyists committing pranks and ‘exploring’ computer systems to a present-day horizontally integrated industry of exploit researchers, malware writers, hackers, fraudsters, and money mules that causes hundreds of millions of dollars in damages annually. The articles below illustrate the juxtaposition of computer crimes from earlier decades with those of the present.

Teaching Hackers Ethics
Newsweek – January 14, 1985
The parents of "Echo Man," 16, "Three Rocks," 15, and "Uncle Sam," 17, probably thought they were in their rooms doing homework. Instead, the Burlingame, Calif., teen-agers were programming their Apples to scan the Sprint telephone-service computers for valid access numbers, which they used to make free calls. The hackers then posted the numbers on an electronic bulletin board, so others could share in the spoils. That was their undoing. Local police, who had been monitoring the bulletin board, raided each of the hackers' homes last month and found enough evidence to charge them with felony theft and wire fraud.

FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms[1]
Washington Post, Brian Krebs – October 26, 2009
Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim’s online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company’s online account…

How do you explain the typical computer crime making the leap from petty phone access theft in the 70s to huge heists in the 00s? As it turns out, in each decade, the computer crimes fit pretty well with the demographics of their time. The type and frequency of computer crime occurring in each decade seem to have been shaped by three demographics:
· The number of computers online
· The type and amount of online commerce
· The globalization of internet use

The number of crime targets is limited by the number of computers online. The profitability of a target is dependent on the type of commerce being conducted on the computers. And the likelihood of being caught is positively correlated with the effectiveness of law enforcement in prosecuting crimes, which, I have observed, is inversely proportional to the globalization of the internet.

As these demographics evolved, so too did the crime.

The Perfect Conditions for Crime

What are the perfect conditions for crime? How about easy targets, high profits, and very little chance of being caught?

That is what the Internet provides – lots of easy targets, with 220 million people online in the U.S. alone and very weak security. An almost guaranteed high return – 50 million people in the U.S. conducting banking online. And little chance of being caught – attribution of crime on the Internet is nearly impossible and governments don’t have the resources to handle the volume, let alone the high cost of international investigations. They successfully prosecute a few per year for publicity, but little else. The Internet is the perfect place to commit crime.

It took until the late 1990s for these conditions to converge to create the perfect storm. Before that, essential elements were missing – people, connectivity, commerce, and insecurity.

+ Computers and Connectivity
The first dimension set in motion was personal and commercial use of computers in the mid-1970s. In the 70s there weren’t very many computer systems and they weren’t interconnected. In the 80s private citizen computer ownership started ramping up, but connectivity was limited largely to computer-to-computer modem services, and access to the Internet was restricted to government and universities. In the 90s the government opened up the Internet to commercial and then public access. By the end of the decade, about half of the U.S. population was ‘online’.

+ Commerce
The explosion of online commerce was another important ingredient in creating the cyber crime environment. Without commerce, all the potential targets connected to the Internet are just targets. With commerce, computers become rich targets – credit card processing systems and automated tellers. In 2000, 40 million people in the U.S. had ever bought something online[2]. By 2008, that number reached 201 million[3]. Nearly everyone who can shop online does shop online.

In 1998, 8 million people in the U.S. were conducting banking online. By 2008 that grew to 50 million – 23% of online users and fully 17% of the entire U.S. population! Consider this fact: there are about 220 million people in the U.S. who use the Internet regularly. Twenty-three percent of them – 50 million – conduct banking online.

+ Insecurity
The build-out of the Internet network infrastructure and the connected systems was fast and furious. At this pace, all focus was on features and functionality. Little thought was given to the consequences of the risks and to the security requirements of such a critical, complex infrastructure. As a security consultant in the late 1990s, I examined up close the lack of security controls in even critical infrastructure. On one engagement, my co-worker and I were called up on short notice to conduct an Internet perimeter test of a company that provided core processing services to credit unions. One of their services was outsourced Internet Banking. Compromising their perimeter was simple, taking about 10 minutes. We scanned their public address space for common ports, noticed 135 and 139 were listening on their Internet Banking server, established a net session and went to work guessing the administrator account password. The password was ‘snow’. It was easy pickings from there. Towards the end of the engagement, I met on-site with the company’s system administrators to discuss the findings. In response to my recommendations they asked, “What is a firewall?”

+ Internationalization and No Law Enforcement
In 1998 – 1999, about 80% of the people using the Internet were U.S. citizens and about 95% were U.S. citizens or citizens of U.S. allied countries.[4] Under these conditions, serious computer crimes could be investigated and prosecuted because the crimes were largely occurring from within the borders of governments that were willing to cooperate in cyber crime investigations. This acted as a deterrent of sorts, keeping many people from committing really serious cyber crimes.

Even into 2000, people using the Internet in developing economies were limited to the professional class – people in government, education, and industry – due to Internet access constraints. As Internet accessibility increased and cost decreased, non-professionals quickly got online. By 2005, the number of Internet users in BRIC countries – Brazil, Russia, India, and China – surpassed the number of Internet users in the U.S. Among these Internet users were, as in other countries, criminals. The difference this time, though, was that governments proved inept in dealing with the volume, the costs and the international legal and political barriers of prosecuting crime. And frankly, non-U.S. allies were and continue to not be seriously interested in assisting other countries in criminal investigations. Ever contact a bank in Russia to request that they return a fraudulent wire? Ever participated in an FBI investigation that requires cooperation of Chinese authorities? Good luck.

The early financially driven international cyber crime spree in 2001 – 2002 went unchecked. This encouraged additional investment in cyber crime. Success continued to meet success, which continues to spiral to where we are today.